Protocol Endpoints

OAuth2 Authorization Endpoint

OAuth2AuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 authorization requests.

OAuth2AuthorizationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.authorizationEndpoint(authorizationEndpoint ->
			authorizationEndpoint
				.authorizationRequestConverter(authorizationRequestConverter) // 1
				.authorizationRequestConverters(authorizationRequestConvertersConsumer) // 2
				.authenticationProvider(authenticationProvider) // 3
				.authenticationProviders(authenticationProvidersConsumer) // 4
				.authorizationResponseHandler(authorizationResponseHandler) // 5
				.errorResponseHandler(errorResponseHandler) // 6
				.consentPage("/oauth2/v1/authorize") // 7
		);

	return http.build();
}
1 authorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 authorization request (or consent) from HttpServletRequest to an instance of OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
2 authorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider.
5 authorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2AuthorizationCodeRequestAuthenticationToken and returning the OAuth2AuthorizationResponse.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthorizationCodeRequestAuthenticationException and returning the OAuth2Error response.
7 consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the authorization request flow.

OAuth2AuthorizationEndpointConfigurer configures the OAuth2AuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationEndpointFilter is the Filter that processes OAuth2 authorization requests (and consents).

OAuth2AuthorizationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeRequestAuthenticationConverter and OAuth2AuthorizationConsentAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeRequestAuthenticationProvider and OAuth2AuthorizationConsentAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OAuth2AuthorizationCodeRequestAuthenticationToken and returns the OAuth2AuthorizationResponse.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthorizationCodeRequestAuthenticationException and returns the OAuth2Error response.

Customizing Authorization Request Validation

OAuth2AuthorizationCodeRequestAuthenticationValidator is the default validator used for validating specific OAuth2 authorization request parameters used in the Authorization Code Grant. The default implementation validates the redirect_uri and scope parameters. If validation fails, an OAuth2AuthorizationCodeRequestAuthenticationException is thrown.

OAuth2AuthorizationCodeRequestAuthenticationProvider provides the ability to override the default authorization request validation by supplying a custom authentication validator of type Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> to setAuthenticationValidator().

OAuth2AuthorizationCodeRequestAuthenticationContext holds the OAuth2AuthorizationCodeRequestAuthenticationToken, which contains the OAuth2 authorization request parameters.

If validation fails, the authentication validator MUST throw OAuth2AuthorizationCodeRequestAuthenticationException.

A common use case during the development life cycle phase is to allow for localhost in the redirect_uri parameter.

The following example shows how to configure OAuth2AuthorizationCodeRequestAuthenticationProvider with a custom authentication validator that allows for localhost in the redirect_uri parameter:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.authorizationEndpoint(authorizationEndpoint ->
			authorizationEndpoint
				.authenticationProviders(configureAuthenticationValidator())
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
				Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
					// Override default redirect_uri validator
					new CustomRedirectUriValidator()
						// Reuse default scope validator
						.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

				((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
			authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

		// Use exact string matching when comparing client redirect URIs against pre-registered URIs
		if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
			throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
		}
	}
}

OAuth2 Device Authorization Endpoint

OAuth2DeviceAuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Device Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 device authorization requests.

OAuth2DeviceAuthorizationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
			deviceAuthorizationEndpoint
				.deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter) // 1
				.deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) // 2
				.authenticationProvider(authenticationProvider) // 3
				.authenticationProviders(authenticationProvidersConsumer) // 4
				.deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) // 5
				.errorResponseHandler(errorResponseHandler) // 6
				.verificationUri("/oauth2/v1/device_verification") // 7
		);

	return http.build();
}
1 deviceAuthorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 device authorization request from HttpServletRequest to an instance of OAuth2DeviceAuthorizationRequestAuthenticationToken.
2 deviceAuthorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2DeviceAuthorizationRequestAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider.
5 deviceAuthorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2DeviceAuthorizationRequestAuthenticationToken and returning the OAuth2DeviceAuthorizationResponse.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
7 verificationUri(): The URI of the custom end-user verification page to direct resource owners to on a secondary device.

OAuth2DeviceAuthorizationEndpointConfigurer configures the OAuth2DeviceAuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2DeviceAuthorizationEndpointFilter is the Filter that processes OAuth2 device authorization requests.

OAuth2DeviceAuthorizationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OAuth2DeviceAuthorizationRequestAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2DeviceAuthorizationRequestAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OAuth2DeviceAuthorizationRequestAuthenticationToken and returns the OAuth2DeviceAuthorizationResponse.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.

OAuth2 Device Verification Endpoint

OAuth2DeviceVerificationEndpointConfigurer provides the ability to customize the OAuth2 Device Verification endpoint (or "User Interaction"). It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 device verification requests.

OAuth2DeviceVerificationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.deviceVerificationEndpoint(deviceVerificationEndpoint ->
			deviceVerificationEndpoint
				.deviceVerificationRequestConverter(deviceVerificationRequestConverter) // 1
				.deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer) // 2
				.authenticationProvider(authenticationProvider) // 3
				.authenticationProviders(authenticationProvidersConsumer) // 4
				.deviceVerificationResponseHandler(deviceVerificationResponseHandler) // 5
				.errorResponseHandler(errorResponseHandler) // 6
				.consentPage("/oauth2/v1/consent") // 7
		);

	return http.build();
}
1 deviceVerificationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 device verification request (or consent) from HttpServletRequest to an instance of OAuth2DeviceVerificationAuthenticationToken or OAuth2DeviceAuthorizationConsentAuthenticationToken.
2 deviceVerificationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2DeviceVerificationAuthenticationToken or OAuth2DeviceAuthorizationConsentAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider.
5 deviceVerificationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2DeviceVerificationAuthenticationToken and directing the resource owner to return to their device.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the error response.
7 consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the device verification request flow.

OAuth2DeviceVerificationEndpointConfigurer configures the OAuth2DeviceVerificationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2DeviceVerificationEndpointFilter is the Filter that processes OAuth2 device verification requests (and consents).

OAuth2DeviceVerificationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2DeviceVerificationAuthenticationConverter and OAuth2DeviceAuthorizationConsentAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2DeviceVerificationAuthenticationProvider and OAuth2DeviceAuthorizationConsentAuthenticationProvider.

  • AuthenticationSuccessHandler — A SimpleUrlAuthenticationSuccessHandler that handles an “authenticated” OAuth2DeviceVerificationAuthenticationToken and redirects the user to a success page (/?success).

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

OAuth2 Token Endpoint

OAuth2TokenEndpointConfigurer provides the ability to customize the OAuth2 Token endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 access token requests.

OAuth2TokenEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenEndpoint(tokenEndpoint ->
			tokenEndpoint
				.accessTokenRequestConverter(accessTokenRequestConverter) // 1
				.accessTokenRequestConverters(accessTokenRequestConvertersConsumer) // 2
				.authenticationProvider(authenticationProvider) // 3
				.authenticationProviders(authenticationProvidersConsumer) // 4
				.accessTokenResponseHandler(accessTokenResponseHandler) // 5
				.errorResponseHandler(errorResponseHandler) // 6
		);

	return http.build();
}
1 accessTokenRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 access token request from HttpServletRequest to an instance of OAuth2AuthorizationGrantAuthenticationToken.
2 accessTokenRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationGrantAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider.
5 accessTokenResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an OAuth2AccessTokenAuthenticationToken and returning the OAuth2AccessTokenResponse.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenEndpointConfigurer configures the OAuth2TokenEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenEndpointFilter is the Filter that processes OAuth2 access token requests.

The supported authorization grant types are authorization_code, refresh_token, client_credentials, and urn:ietf:params:oauth:grant-type:device_code.

OAuth2TokenEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeAuthenticationConverter, OAuth2RefreshTokenAuthenticationConverter, OAuth2ClientCredentialsAuthenticationConverter, OAuth2DeviceCodeAuthenticationConverter, and OAuth2TokenExchangeAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeAuthenticationProvider, OAuth2RefreshTokenAuthenticationProvider, OAuth2ClientCredentialsAuthenticationProvider, OAuth2DeviceCodeAuthenticationProvider, and OAuth2TokenExchangeAuthenticationProvider.

  • AuthenticationSuccessHandler — An OAuth2AccessTokenResponseAuthenticationSuccessHandler.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.
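The errorResponseHandler extension point is a natural place to record rejected token requests for detection purposes while keeping the wire response unchanged. The following is an added example, not code from the Spring Authorization Server project: a hypothetical AuditingTokenErrorResponseHandler that logs the failure and then delegates to the default OAuth2ErrorAuthenticationFailureHandler. It assumes Spring Authorization Server 1.x (Jakarta Servlet API) and SLF4J on the classpath.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ErrorAuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Hypothetical errorResponseHandler for the OAuth2 Token endpoint (added example).
 * Records why a token request was rejected, then delegates to the default handler so the
 * client still receives the standard OAuth2Error response.
 */
public class AuditingTokenErrorResponseHandler implements AuthenticationFailureHandler {

	private static final Logger log = LoggerFactory.getLogger(AuditingTokenErrorResponseHandler.class);

	// The default handler produces the OAuth2Error body and status code; we only add logging.
	private final AuthenticationFailureHandler delegate = new OAuth2ErrorAuthenticationFailureHandler();

	@Override
	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException exception) throws IOException, ServletException {

		// Every failure the Token endpoint filter hands to this handler is an OAuth2AuthenticationException
		// carrying an OAuth2Error (e.g. invalid_grant, invalid_scope, unsupported_grant_type).
		String errorCode = "unknown";
		String description = null;
		if (exception instanceof OAuth2AuthenticationException oauth2Exception) {
			OAuth2Error error = oauth2Exception.getError();
			errorCode = error.getErrorCode();
			description = error.getDescription();
		}

		// client_id is only a request parameter for public clients and client_secret_post;
		// clients using client_secret_basic send it in the Authorization header, so it may be null here.
		String clientId = request.getParameter(OAuth2ParameterNames.CLIENT_ID);
		String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);

		// One structured line per rejection: a burst of invalid_grant for a single client_id or
		// source address is the signal a detection rule on the authorization server keys on.
		log.warn("token request rejected: client_id={} grant_type={} error={} description={} remote={}",
				clientId, grantType, errorCode, description, request.getRemoteAddr());

		// Never write the secret-bearing request parameters (client_secret, code, refresh_token) to the log.
		this.delegate.onAuthenticationFailure(request, response, exception);
	}
}
```

Register it through the tokenEndpoint customizer shown above with `.errorResponseHandler(new AuditingTokenErrorResponseHandler())`; the same pattern applies to the errorResponseHandler of the other endpoint configurers on this page.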

Customizing Client Credentials Grant Request Validation

OAuth2ClientCredentialsAuthenticationValidator is the default validator used for validating specific OAuth2 Client Credentials Grant request parameters. The default implementation validates the scope parameter. If validation fails, an OAuth2AuthenticationException is thrown.

OAuth2ClientCredentialsAuthenticationProvider provides the ability to override the default request validation by supplying a custom authentication validator of type Consumer<OAuth2ClientCredentialsAuthenticationContext> to setAuthenticationValidator().

OAuth2ClientCredentialsAuthenticationContext holds the OAuth2ClientCredentialsAuthenticationToken, which contains the OAuth2 Client Credentials Grant request parameters.

If validation fails, the authentication validator MUST throw OAuth2AuthenticationException.

The following example shows how to configure OAuth2ClientCredentialsAuthenticationProvider with a custom authentication validator that overrides the default scope validation:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenEndpoint(tokenEndpoint ->
			tokenEndpoint
				.authenticationProviders(configureAuthenticationValidator())
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
				Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
					new CustomScopeValidator();

				// Override default scope validation
				((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

	@Override
	public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
			authenticationContext.getAuthentication();

		Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		Set<String> allowedScopes = registeredClient.getScopes();

		// Reject the request if any requested scope is not registered for this client
		if (!allowedScopes.containsAll(requestedScopes)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE);
			throw new OAuth2AuthenticationException(error);
		}
	}
}

OAuth2 Token Introspection Endpoint

OAuth2TokenIntrospectionEndpointConfigurer provides the ability to customize the OAuth2 Token Introspection endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
			tokenIntrospectionEndpoint
				.introspectionRequestConverter(introspectionRequestConverter) // 1
				.introspectionRequestConverters(introspectionRequestConvertersConsumer) // 2
				.authenticationProvider(authenticationProvider) // 3
				.authenticationProviders(authenticationProvidersConsumer) // 4
				.introspectionResponseHandler(introspectionResponseHandler) // 5
				.errorResponseHandler(errorResponseHandler) // 6
		);

	return http.build();
}
1 introspectionRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 introspection request from HttpServletRequest to an instance of OAuth2TokenIntrospectionAuthenticationToken.
2 introspectionRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenIntrospectionAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider.
5 introspectionResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenIntrospectionAuthenticationToken and returning the OAuth2TokenIntrospection response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenIntrospectionEndpointConfigurer configures the OAuth2TokenIntrospectionEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenIntrospectionEndpointFilter is the Filter that processes OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OAuth2TokenIntrospectionAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2TokenIntrospectionAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OAuth2TokenIntrospectionAuthenticationToken and returns the OAuth2TokenIntrospection response.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.

OAuth2 Token Revocation Endpoint

OAuth2TokenRevocationEndpointConfigurer provides the ability to customize the OAuth2 Token Revocation endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 revocation requests.

OAuth2TokenRevocationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenRevocationEndpoint(tokenRevocationEndpoint ->
			tokenRevocationEndpoint
				.revocationRequestConverter(revocationRequestConverter) // 1
				.revocationRequestConverters(revocationRequestConvertersConsumer) // 2
				.authenticationProvider(authenticationProvider) // 3
				.authenticationProviders(authenticationProvidersConsumer) // 4
				.revocationResponseHandler(revocationResponseHandler) // 5
				.errorResponseHandler(errorResponseHandler) // 6
		);

	return http.build();
}
1 revocationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 revocation request from HttpServletRequest to an instance of OAuth2TokenRevocationAuthenticationToken.
2 revocationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenRevocationAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider.
5 revocationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenRevocationAuthenticationToken and returning the OAuth2 revocation response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenRevocationEndpointConfigurer configures the OAuth2TokenRevocationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenRevocationEndpointFilter is the Filter that processes OAuth2 revocation requests.

OAuth2TokenRevocationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OAuth2TokenRevocationAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2TokenRevocationAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OAuth2TokenRevocationAuthenticationToken and returns the OAuth2 revocation response.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.

OAuth2 Authorization Server Metadata Endpoint

OAuth2AuthorizationServerMetadataEndpointConfigurer provides the ability to customize the OAuth2 Authorization Server Metadata endpoint. It defines an extension point that lets you customize the OAuth2 Authorization Server Metadata response.

OAuth2AuthorizationServerMetadataEndpointConfigurer provides the following configuration option:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
			authorizationServerMetadataEndpoint
				.authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer));   1

	return http.build();
}
1 authorizationServerMetadataCustomizer(): The Consumer providing access to the OAuth2AuthorizationServerMetadata.Builder allowing the ability to customize the claims of the Authorization Server’s configuration.

OAuth2AuthorizationServerMetadataEndpointConfigurer configures the OAuth2AuthorizationServerMetadataEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationServerMetadataEndpointFilter is the Filter that returns the OAuth2AuthorizationServerMetadata response.

JWK Set Endpoint

OAuth2AuthorizationServerConfigurer provides support for the JWK Set endpoint.

OAuth2AuthorizationServerConfigurer configures the NimbusJwkSetEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. NimbusJwkSetEndpointFilter is the Filter that returns the JWK Set.

The JWK Set endpoint is configured only if a JWKSource<SecurityContext> @Bean is registered.

OpenID Connect 1.0 Provider Configuration Endpoint

OidcProviderConfigurationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 Provider Configuration endpoint. It defines an extension point that lets you customize the OpenID Provider Configuration response.

OidcProviderConfigurationEndpointConfigurer provides the following configuration option:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.providerConfigurationEndpoint(providerConfigurationEndpoint ->
					providerConfigurationEndpoint
						.providerConfigurationCustomizer(providerConfigurationCustomizer)   1
				)
		);

	return http.build();
}
1 providerConfigurationCustomizer(): The Consumer providing access to the OidcProviderConfiguration.Builder allowing the ability to customize the claims of the OpenID Provider’s configuration.
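An added example (not from the page or the project) of what the authorizationServerMetadataCustomizer from the OAuth2 Authorization Server Metadata section and the providerConfigurationCustomizer above can look like as beans, together with the wiring from both snippets. The class name, the scope and claim values and the documentation URL are assumptions, and the imports assume the 1.x package layout.

```java
import java.util.List;
import java.util.function.Consumer;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationServerMetadata;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.oidc.OidcProviderConfiguration;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MetadataConfig {

	// Applied to the RFC 8414 metadata document (/.well-known/oauth-authorization-server).
	@Bean
	public Consumer<OAuth2AuthorizationServerMetadata.Builder> authorizationServerMetadataCustomizer() {
		return (metadata) -> metadata
				// Advertise the additional scopes this server issues to its clients.
				.scope("profile")
				.scope("email")
				// Any metadata field can be set as a plain claim; "service_documentation"
				// is a standard RFC 8414 field. The URL is a placeholder.
				.claim("service_documentation", "https://example.com/docs/oauth2");
	}

	// Applied to the OpenID Connect Discovery document (/.well-known/openid-configuration).
	@Bean
	public Consumer<OidcProviderConfiguration.Builder> providerConfigurationCustomizer() {
		return (config) -> config
				// Tell relying parties which claims the ID Token and UserInfo response may carry.
				.claim("claims_supported", List.of("sub", "name", "email", "email_verified"))
				.scopes((scopes) -> {
					scopes.add("profile");
					scopes.add("email");
				});
	}

	@Bean
	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
			Consumer<OAuth2AuthorizationServerMetadata.Builder> authorizationServerMetadataCustomizer,
			Consumer<OidcProviderConfiguration.Builder> providerConfigurationCustomizer) throws Exception {
		OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
				new OAuth2AuthorizationServerConfigurer();
		http.apply(authorizationServerConfigurer);

		authorizationServerConfigurer
				.authorizationServerMetadataEndpoint((endpoint) -> endpoint
						.authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer))
				.oidc((oidc) -> oidc
						.providerConfigurationEndpoint((endpoint) -> endpoint
								.providerConfigurationCustomizer(providerConfigurationCustomizer)));

		return http.build();
	}
}
```

Both documents are public and unauthenticated, so only advertise capabilities the server actually supports; clients and auditors read them as the server's declared contract.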

OidcProviderConfigurationEndpointConfigurer configures the OidcProviderConfigurationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcProviderConfigurationEndpointFilter is the Filter that returns the OidcProviderConfiguration response.

OpenID Connect 1.0 Logout Endpoint

OidcLogoutEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 Logout endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for RP-Initiated Logout requests.

OidcLogoutEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.logoutEndpoint(logoutEndpoint ->
					logoutEndpoint
						.logoutRequestConverter(logoutRequestConverter) 1
						.logoutRequestConverters(logoutRequestConvertersConsumer)   2
						.authenticationProvider(authenticationProvider) 3
						.authenticationProviders(authenticationProvidersConsumer)   4
						.logoutResponseHandler(logoutResponseHandler)   5
						.errorResponseHandler(errorResponseHandler) 6
				)
		);

	return http.build();
}
1 logoutRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a Logout request from HttpServletRequest to an instance of OidcLogoutAuthenticationToken.
2 logoutRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter’s allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcLogoutAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider’s allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 logoutResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an “authenticated” OidcLogoutAuthenticationToken and performing the logout.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the error response.

OidcLogoutEndpointConfigurer configures the OidcLogoutEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcLogoutEndpointFilter is the Filter that processes RP-Initiated Logout requests and performs the logout of the End-User.

OidcLogoutEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OidcLogoutAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OidcLogoutAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OidcLogoutAuthenticationToken and performs the logout.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

OidcLogoutAuthenticationProvider uses a SessionRegistry to look up the SessionInformation instance associated to the End-User requesting to be logged out.

OidcClientInitiatedLogoutSuccessHandler is the corresponding configuration in Spring Security’s OAuth2 Client support for configuring OpenID Connect 1.0 RP-Initiated Logout.
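An added example (not the project's own code) of registering the SessionRegistry that OidcLogoutAuthenticationProvider consults. It assumes End-Users authenticate through a separate form-login chain, that the authorization server resolves the SessionRegistry bean, and that one session per user is acceptable; Spring Security's concurrent session control is used here because it is what records each login in the registry.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class LogoutSessionConfig {

	// The registry consulted when an RP-Initiated Logout request is mapped back
	// to the End-User's SessionInformation. Assumption: the authorization server
	// picks this bean up rather than a registry of its own.
	@Bean
	public SessionRegistry sessionRegistry() {
		return new SessionRegistryImpl();
	}

	// Publishes session-destroyed events so SessionRegistryImpl forgets sessions
	// that expire or are invalidated; without it, stale SessionInformation lingers
	// and a logout may be matched against a session that no longer exists.
	@Bean
	public HttpSessionEventPublisher httpSessionEventPublisher() {
		return new HttpSessionEventPublisher();
	}

	// Chain that authenticates End-Users (assumption: form login). Concurrent
	// session control registers every authenticated session in the registry;
	// maximumSessions(1) additionally limits each user to one active session.
	@Bean
	public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http,
			SessionRegistry sessionRegistry) throws Exception {
		http
			.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
			.formLogin(withDefaults())
			.sessionManagement((session) -> session
				.maximumSessions(1)
				.sessionRegistry(sessionRegistry));
		return http.build();
	}
}
```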

OpenID Connect 1.0 UserInfo Endpoint

OidcUserInfoEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 UserInfo endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for UserInfo requests.

OidcUserInfoEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.userInfoEndpoint(userInfoEndpoint ->
					userInfoEndpoint
						.userInfoRequestConverter(userInfoRequestConverter) 1
						.userInfoRequestConverters(userInfoRequestConvertersConsumer) 2
						.authenticationProvider(authenticationProvider) 3
						.authenticationProviders(authenticationProvidersConsumer) 4
						.userInfoResponseHandler(userInfoResponseHandler) 5
						.errorResponseHandler(errorResponseHandler) 6
						.userInfoMapper(userInfoMapper) 7
				)
		);

	return http.build();
}
1 userInfoRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a UserInfo request from HttpServletRequest to an instance of OidcUserInfoAuthenticationToken.
2 userInfoRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter’s allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcUserInfoAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider’s allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 userInfoResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an “authenticated” OidcUserInfoAuthenticationToken and returning the UserInfo response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the UserInfo Error response.
7 userInfoMapper(): The Function used to extract claims from OidcUserInfoAuthenticationContext to an instance of OidcUserInfo.

OidcUserInfoEndpointConfigurer configures the OidcUserInfoEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcUserInfoEndpointFilter is the Filter that processes UserInfo requests and returns the OidcUserInfo response.

OidcUserInfoEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An internal implementation that obtains the Authentication from the SecurityContext and creates an OidcUserInfoAuthenticationToken with the principal.

  • AuthenticationManager — An AuthenticationManager composed of OidcUserInfoAuthenticationProvider, which is associated with an internal implementation of userInfoMapper that extracts standard claims from the ID Token based on the scopes requested during authorization.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OidcUserInfoAuthenticationToken and returns the OidcUserInfo response.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

You can customize the ID Token by providing an OAuth2TokenCustomizer<JwtEncodingContext> @Bean.
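An added example (not the page's or the project's code) that ties the userInfoMapper option (callout 7 above) to the ID Token customizer just described: the customizer puts sample claims into the ID Token at issuance, and the mapper releases each claim to the UserInfo response only when the presented access token holds the covering scope, a simplified form of the default mapping. The mapper is passed to .userInfoMapper() as in the snippet above; the class name and the claim values are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class UserInfoConfig {

	// Adds claims to the ID Token at issuance. The values would normally come
	// from a user store; here they are constructed sample values.
	@Bean
	public OAuth2TokenCustomizer<JwtEncodingContext> idTokenCustomizer() {
		return (context) -> {
			if (!OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
				return; // leave access tokens untouched
			}
			String username = context.getPrincipal().getName();
			context.getClaims().claims((claims) -> {
				claims.put(StandardClaimNames.NAME, username);                   // sample value
				claims.put(StandardClaimNames.EMAIL, username + "@example.com"); // sample value
				claims.put(StandardClaimNames.EMAIL_VERIFIED, true);             // sample value
			});
		};
	}

	// Maps the stored ID Token into the UserInfo response, releasing a claim only
	// when the access token presented to the endpoint carries the covering scope.
	@Bean
	public Function<OidcUserInfoAuthenticationContext, OidcUserInfo> userInfoMapper() {
		return (context) -> {
			Set<String> scopes = context.getAccessToken().getScopes();
			OidcIdToken idToken = context.getAuthorization().getToken(OidcIdToken.class).getToken();
			Map<String, Object> claims = new HashMap<>();
			claims.put(StandardClaimNames.SUB, idToken.getSubject()); // always returned
			if (scopes.contains(OidcScopes.PROFILE)) {
				copyClaim(idToken, claims, StandardClaimNames.NAME);
			}
			if (scopes.contains(OidcScopes.EMAIL)) {
				copyClaim(idToken, claims, StandardClaimNames.EMAIL);
				copyClaim(idToken, claims, StandardClaimNames.EMAIL_VERIFIED);
			}
			return new OidcUserInfo(claims);
		};
	}

	private static void copyClaim(OidcIdToken idToken, Map<String, Object> target, String name) {
		Object value = idToken.getClaim(name);
		if (value != null) {
			target.put(name, value);
		}
	}
}
```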

The OpenID Connect 1.0 UserInfo endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the UserInfo request. The following example shows how to enable the OAuth2 resource server configuration:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	...

	http.oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()));

	return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
	return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

A JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 UserInfo endpoint.

The guide How-to: Customize the OpenID Connect 1.0 UserInfo response contains examples of customizing the UserInfo endpoint.

OpenID Connect 1.0 Client Registration Endpoint

OidcClientRegistrationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 Client Registration endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for Client Registration requests or Client Read requests.

OidcClientRegistrationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.clientRegistrationEndpoint(clientRegistrationEndpoint ->
					clientRegistrationEndpoint
						.clientRegistrationRequestConverter(clientRegistrationRequestConverter) 1
						.clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers) 2
						.authenticationProvider(authenticationProvider) 3
						.authenticationProviders(authenticationProvidersConsumer) 4
						.clientRegistrationResponseHandler(clientRegistrationResponseHandler) 5
						.errorResponseHandler(errorResponseHandler) 6
				)
		);

	return http.build();
}
1 clientRegistrationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a Client Registration request or Client Read request from HttpServletRequest to an instance of OidcClientRegistrationAuthenticationToken.
2 clientRegistrationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter’s allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcClientRegistrationAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider’s allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 clientRegistrationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an “authenticated” OidcClientRegistrationAuthenticationToken and returning the Client Registration response or Client Read response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the Client Registration Error response or Client Read Error response.

The OpenID Connect 1.0 Client Registration endpoint is disabled by default because many deployments do not require dynamic client registration.

OidcClientRegistrationEndpointConfigurer configures the OidcClientRegistrationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcClientRegistrationEndpointFilter is the Filter that processes Client Registration requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter also processes Client Read requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OidcClientRegistrationAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OidcClientRegistrationAuthenticationProvider and OidcClientConfigurationAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OidcClientRegistrationAuthenticationToken and returns the OidcClientRegistration response.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

The OpenID Connect 1.0 Client Registration endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the Client Registration (or Client Read) request.

The access token in a Client Registration request REQUIRES the OAuth2 scope client.create.

The access token in a Client Read request REQUIRES the OAuth2 scope client.read.

The following example shows how to enable the OAuth2 resource server configuration:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	...

	http.oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()));

	return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
	return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

A JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 Client Registration endpoint.
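An added example (not the project's own code) that enables the Client Registration endpoint, which the text notes is off by default, and defines the one client permitted to obtain the initial access token carrying the client.create scope that registration requests require; it combines this with the resource server setup and relies on the JwtDecoder bean shown above. The class name, client id and secret are placeholders and the in-memory repository is an assumption.

```java
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ClientRegistrationConfig {

	@Bean
	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
		OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
				new OAuth2AuthorizationServerConfigurer();
		http.apply(authorizationServerConfigurer);

		authorizationServerConfigurer
				// Opt in explicitly: the endpoint stays disabled unless this is called.
				.oidc((oidc) -> oidc.clientRegistrationEndpoint(Customizer.withDefaults()));

		// Bearer-token validation for registration and read requests, using the
		// JwtDecoder bean built from the JWKSource.
		http.oauth2ResourceServer((resourceServer) -> resourceServer.jwt(Customizer.withDefaults()));

		return http.build();
	}

	// The only pre-registered client able to obtain an initial access token for
	// the registration endpoint. It authenticates with client_credentials and is
	// granted client.create alone, so its tokens can register clients but
	// cannot be used for anything else. Assumption: in-memory repository;
	// client id and secret are placeholders.
	@Bean
	public RegisteredClientRepository registeredClientRepository() {
		RegisteredClient registrarClient = RegisteredClient.withId(UUID.randomUUID().toString())
				.clientId("registrar-client")
				.clientSecret("{noop}registrar-secret") // placeholder; use an encoded secret in practice
				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
				.scope("client.create") // required by Client Registration requests
				.build();
		return new InMemoryRegisteredClientRepository(registrarClient);
	}
}
```

Keeping the registrar client's scope set to client.create alone means an access token leaked from it cannot be replayed as a Client Read token, which the text says requires client.read.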